Cybersecurity: Spear Phishing Covered Under Insurance Policy Where Code Manipulated

CERT-LatestNews Security News SocialEngineering ThreatsCybercrime Uncategorized

Bennett Jones LLP

Increasingly, insureds faced with cyber fraud losses are going to the courts to interpret their policies.  In The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413 [The Brick Warehouse], and in Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (March 9, 2017, 9th Cir.) [Taylor & Lieberman], fraudulent emails, as part of a social engineering attack, were sent to company employees who acted on them transferring money from the insured’s account. In both cases courts held that coverage under the Fund Transfer Fraud policy was denied as the victim knew or consented to the instructions given to its bank rather than by way of third-party instructions impersonating the insured which would have been covered by the policy.

In Medidata Solutions, Inc. v. Federal Insurance Co., 15-CV-907 (ALC) (July 21, 2017, U.S. D.C. S.D. New York) [Medidata] we see a court assessing coverage under a crime policy. In these kinds of cases, facts are important as well as a good warning of the increasing sophistication of cyber-criminal behaviour.

Medidata used Google’s Gmail service for its email. As part of that service, Google’s servers compare incoming email addresses with Medidata employee profiles and where a match is found, Gmail displays the sender’s name, email address and picture in the “from” field of the email. 

Medidata was contemplating a possible acquisition and instructed its financial team “to be prepared to assist with significant transactions on an urgent basis.” The accounts payable employee got an email purportedly from the Medidata president. That message included the president’s name, email address and picture in the “from” field. The message advised the employee that they were close to concluding an acquisition, the matter was strictly confidential and that a lawyer would contact the employee whose instructions the employee should follow.

That day a person claiming to “be the lawyer called the employee and required the employee to process a wire transfer for him. Due to time constraints the “lawyer” advised the employee that a physical check would not suffice. The employee advised that she would need an email from the Medidata president to authorize the wire transfer as well as approvals from the Medidata vice president and the director of revenue.

The purported Medidata president sent a message to the employee, the Medidata vice president and the director of revenue advising “I’m currently undergoing a financial operation in which I need you to process and approve a payment on my behalf.” As before, the message included the president’s name, email address and picture in the “from” field. In response the employee logged in to the Medidata bank online system and initiated the wire transfer. The vice president and the director of revenue also logged into the bank system and authorized the transfer. A total of $4,770,226 was transferred to the account provided by the “lawyer”.

Later the “lawyer” contacted the employee and requested a second wire transfer. The employee initiated the transfer and the vice president approved it but the director of revenue thought the “reply to” field looked suspicious. In response, the employee contacted the real Medidata president enquiring about the wire transfers only to be advised that no such transfers had been requested.

Medidata contacted the FBI and outside counsel and the resulting investigation revealed that a criminal had altered the emails to appear that they came from the Medidata president.

Medidata made a claim under their insurance policy which included a “Crime Coverage Section” that addressed losses caused by various criminal actions including Computer Fraud Coverage and Funds Transfer Fraud Coverage. 

The insurance policy defined “computer fraud” as “[T]he unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation”.  “Computer Violation” was defined to include both “the fraudulent: (a) entry of Data into … a Computer Systems; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format … directed against an Organization.” 

The “Funds Transfer Fraud by a Third Party” policy had the following policy language:

“Fund Transfer fraud means the fraudulent … electronic… instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”

As in The Brick Warehouse and Taylor & Lieberman the insured denied the claim as there was no “fraudulent entry of Data into Medidata’s computer system.”

The New York District Court considered a New York Court of Appeals case, Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip. Op. 05516 (June 25, 2015) [Universal] which had denied a fraud claim made by fraudulent claims entered by authorized users of the computer system. In the Universal case that Court stated that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.” They held that the insurance covered losses resulting from a dishonest entry or change of data or the program, such as hacking, but not losses resulting from the data itself which while fraudulent was entered by authorized users.

The Medidata court distinguished the Universal decision and noted that the theft occurred using spoofed emails and noted that there are many methods that a criminal may use and to hack a computer system (a technical attack) was only one of them. In the present case the manipulated message had code the tricked Gmail into populating the sent messages with the Medidata president’s information. Thus, the Medidata court interpreted the Universal decision as “finding coverage for fraud where the perpetrator violates the integrity of a computer system through unauthorized access and denying coverage for fraud caused by the submission of fraudulent data by authorized users.”

The insured also raised the decision in Apache Corp. v. Great Western Insurance Co., 662 F.App’x 252 (5th Cir. 2016) [Apache]. In Apache the fraud was achieved through a murky chain of events and the insured was tricked into sending payments to criminals that were for a vendor. The fraud was induced in Apache by a concerted effort of phone calls, spoofed emails and falsified documents.  The Fifth Circuit held that the computer fraud cover was not applicable since “the fraudulent transfer was the result of other events and not directly by computer use.”

The insured also raised the decision in Taylor & Lieberman where the mere sending of emails did not constitute unauthorized entry into the insured’s computer system.

The Medidata court distinguished Apache and Taylor & Lieberman finding that in the present case the spoofed emails had embedded code. As a result, the court found Medidata had demonstrated that its losses were a direct result of a computer violation and could claim under the Computer Fraud Policy.

On the Fund Transfer Fraud policy the Medidata court distinguished prior decisions as they found the way that the criminals used computer code in the message to mask “themselves as an authorized representative and directed Medidata’s accounts payable employee to initiate the electronic bank transfer.” As a result, coverage was shown under that policy.

The nuance in the Medidata case is that the criminals embedded computer code that tricked Google’s Gmail system and Gmail was used as the insured’s email system. This factual difference from earlier cases where social engineering was used to deceive an authorized user to make a mistaken but authorized transfer was sufficient for the Medidata court to find coverage. 

The Medidata decision and the very different results in cases such as Apache, The Brick Warehouse and Taylor & Lieberman show that one need to work very closely with an insurance broker to secure specific policy coverage for different types of attack.  Is it time to review your policy?